70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 4: Active Directory Architecture
Jan 02, 2016
Guide to MCSE 70-294, Enhanced 2
Objectives
• Describe the underlying database of Active Directory
• Describe the Active Directory schema and how it can be extended
• Describe the different Active Directory partitions and their functions
Active Directory Physical Database Storage
• Layers
  • Provide the directory service
  • Include:
    • Extensible Storage Engine (ESE)
    • Database layer
    • Directory Service Agent (DSA)
Active Directory Layers
Active Directory Physical Database Storage
• Extensible Storage Engine:
  • Lowest level
  • Directly responsible for manipulating database
  • All objects stored in nonhierarchical form
    • Rows in database table
• Database layer:
  • Responsible for providing object-oriented hierarchical view
Active Directory Physical Database Storage (continued)
• Directory Service Agent:
  • Third layer
  • Responsible for enforcing semantics
    • Govern how objects in Active Directory are created and manipulated
• Only adjacent layers communicate with one another
Extensible Storage Engine
• Active Directory store:
  • Transactional database
  • Based on Extensible Storage Engine
• Transaction
  • Each addition, modification, or deletion
  • Needed data is loaded from disk to memory
Extensible Storage Engine (continued)
• Transaction
  • First thing that happens:
    • Operation is logged to hard disk
  • Modifications the transaction performs are made to the in-memory copy of data
  • Manipulating in-memory copy of data is faster than going to disk
Extensible Storage Engine (continued)
• Least recently used:
  • Storing entire database in memory is not practical
  • Move data that is no longer needed
  • Write changes back to hard drive
• Least recently used algorithm to write to disk:
  • When memory is running low
  • System is at a period of low activity
Extensible Storage Engine (continued)
• Transactions:
  • ESE writes all transactions to log before they are made to in-memory copy
  • Next time domain controller starts, ESE can use transactions recorded in log
    • Reapply changes to copy of data stored on hard disk
    • Called recovering the database
    • Done without user intervention
Extensible Storage Engine (continued)
• Checkpoints:
  • Shorten recovery times
  • Reduce amount of hard drive space logs take up
  • Completed transactions written back to disk
  • Fact that transactions were successfully written is noted
  • ESE only needs to reapply transactions from point of last checkpoint
  • Transactions can be deleted from log
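An added toy model, not the book's code, of the mechanism the last four slides describe: every change is logged before it touches the in-memory copy, a checkpoint flushes completed transactions to the database file and records the log position, and recovery after a crash replays only the entries after that checkpoint. The class and the sample objects are constructed for the illustration.

```python
"""Toy model of ESE-style write-ahead logging, checkpoints and recovery (illustration only)."""
from dataclasses import dataclass, field

DELETE = object()   # sentinel meaning "this logged transaction deletes the object"


@dataclass
class ToyEseStore:
    database: dict = field(default_factory=dict)  # durable copy on disk, like NTDS.DIT
    log: list = field(default_factory=list)       # durable transaction log, like EDB.LOG
    checkpoint: int = 0                           # log position noted in the checkpoint file
    cache: dict = field(default_factory=dict)     # in-memory copy of the data

    def transaction(self, key, value=DELETE):
        """Add or modify an object (value given) or delete it (no value)."""
        # Step 1: the operation is written to the log before any data is touched
        self.log.append((key, value))
        # Step 2: the change is applied to the in-memory copy only, not the database file
        self._apply(self.cache, key, value)

    @staticmethod
    def _apply(table, key, value):
        if value is DELETE:
            table.pop(key, None)
        else:
            table[key] = value

    def take_checkpoint(self):
        """Write completed transactions to the database file and note how far the log got."""
        self.database = dict(self.cache)
        self.checkpoint = len(self.log)
        # Everything before self.checkpoint is now safe on disk and could be purged from the log

    def crash(self):
        """Power loss: the in-memory copy is gone; database file, log and checkpoint survive."""
        self.cache = {}

    def recover(self):
        """Reload the on-disk copy and replay only log entries after the last checkpoint.
        Returns the number of transactions replayed."""
        self.cache = dict(self.database)
        pending = self.log[self.checkpoint:]
        for key, value in pending:
            self._apply(self.cache, key, value)
        return len(pending)
```

Because the log entry is written first, a change that was applied in memory but never checkpointed is reconstructed on the next start; without the log-first rule it would simply be lost.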
Active Directory File Structure
• Files:
  • NTDS.DIT
  • EDB.LOG
  • EDBXXXXX.LOG
  • EDB.CHK
  • RES1.LOG and RES2.LOG
  • TEMP.EDB
Active Directory Files
NTDS.DIT
• Actual Active Directory store
• Stores all objects and their attributes
• Located in %SYSTEMROOT%\NTDS folder on domain controllers
• Made up of three tables:
  • Schema table
  • Data table
  • Link table
EDB.LOG
• Current transaction log file
• Changes to Active Directory are noted first in transaction log file
• Size of EDB.LOG is always 10 MB
EDBXXXXX.LOG
• When EDB.LOG is filled, it is renamed to EDBXXXXX.LOG
• XXXXX is a number increased by one each time a new log file is created
• Every 12 hours:
  • Garbage-collection process runs
  • Deletes old EDBXXXXX.LOG
EDB.CHK
• Checkpoint file
• System recovering from failure
  • Uses EDB.CHK file to determine what transactions should be written to database
RES1.LOG and RES2.LOG
• Placeholder files
• Reserve disk space
  • If domain controller runs out of free disk space, uses reserved space from files
  • Prevents updates from being lost due to insufficient disk space
• Important:
  • Include additional free space to store Active Directory database as it grows
TEMP.EDB
• Temporary storage space
• Hold large transactions while they are in process
• Used during maintenance operations
LDAP
• Primary protocol used to work with objects in Active Directory
• Vital to understand how to use LDAP naming paths
LDAP (continued)
• DN:
  • Every object in Active Directory has unique name
  • Describes exactly where the object is located in the object hierarchy
  • Made up of:
    • Name of the object
    • All of parent objects above it in hierarchy
LDAP (continued)
• RDN
  • Identifies object within its container
  • Contains only name of object
• Acronyms for object names:
  • DC (Domain Component)
    • Part of a domain name
  • OU (Organizational Unit)
    • Name of an organizational unit
  • CN (Common Name)
    • Name of most objects
LDAP (continued)
• Name example:
  • Lori Thompson located in dev.supercorp.net domain in Research organizational unit
  • DN: CN=Lori Thompson,OU=Research,DC=dev,DC=supercorp,DC=net
  • RDN: CN=Lori Thompson
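An added example, not from the book, that implements the DN and RDN rules of the preceding slides in Python: it splits the example DN into its RDNs (treating a backslash-escaped comma inside a value as part of the name, not a separator) and recovers the RDN, the parent container and the DNS domain name from the DC components.

```python
"""Parse LDAP distinguished names into their RDN components (added example)."""


def split_dn(dn: str) -> list:
    # Returns (attribute type, value) pairs, most specific RDN first.
    # A backslash escapes the next character (RFC 4514), so an escaped comma
    # stays inside the value; the escape sequence is preserved as written.
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                         # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def rdn_of(dn: str) -> str:
    """The relative distinguished name: only the object's own name."""
    attr_type, value = split_dn(dn)[0]
    return f"{attr_type}={value}"


def parent_dn(dn: str) -> str:
    """The container the object lives in: every RDN except the first."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components back into the domain's DNS name."""
    return ".".join(v for t, v in split_dn(dn) if t == "DC")
```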
Active Directory Schema
• All available objects and attributes
• Sets out exactly:
  • What kind of objects are represented
  • What properties or attributes are required or optional
  • What types of values are acceptable
• Tool needed to modify the schema is not available by default
Activity 4-1: Registering Active Directory Schema Console
• Objective: Register the Active Directory Schema snap-in so you can view and modify the schema
• Follow instructions to register the console
Naming
• Every object class and attribute in the schema must have:
  • Unique common name
  • LDAP display name
  • Object Identifier (OID)
Common Name Rules
• Start name with registered DNS name of company
  • Separate each level of DNS name with hyphens (-) instead of periods
• Add another hyphen (-) at end of company’s name
• Enter current year
• Follow year with another hyphen (-)
Common Name Rules (continued)
• Choose product-specific prefix
  • Must be unique within company
  • Identifies product or application of class or attribute
  • Should begin with uppercase letter with additional letters using capitalization of your choice
• Follow product-specific prefix with hyphen (-)
• Enter name of class or attribute separated by hyphens
LDAP Display Name Rules
• Start with common name already created for class or attribute
• Make first character of product-specific prefix lowercase
  • Characters following first character may be uppercase or lowercase
LDAP Display Name Rules (continued)
• Make every character in class or attribute part of name that is preceded by a hyphen (-) uppercase
• Remove all hyphens (-) after product-specific prefix
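An added example, not from the book, that applies the common-name rules and the LDAP display name rules of the preceding slides in Python; the DNS name supercorp.net, the year 2003, the product prefix Inventory and the attribute name Asset-Tag are assumed inputs chosen for the illustration.

```python
"""Build a schema common name and derive its LDAP display name (added example)."""
import re


def schema_common_name(dns_name: str, year: int, prefix: str, *name_parts: str) -> str:
    """Common name: DNS name with hyphens for periods, hyphen, year, hyphen,
    product-specific prefix, hyphen, then the class/attribute name parts joined by hyphens."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", dns_name):
        raise ValueError(f"not a DNS name: {dns_name!r}")
    if not prefix[:1].isupper():
        raise ValueError("product-specific prefix must begin with an uppercase letter")
    if "-" in prefix:
        raise ValueError("prefix must not contain hyphens; they delimit the name parts")
    if not name_parts or any(not p for p in name_parts):
        raise ValueError("class or attribute name must have at least one non-empty part")
    return "-".join([dns_name.replace(".", "-"), str(year), prefix, *name_parts])


def ldap_display_name(common_name: str, prefix: str) -> str:
    """Display name: keep everything up to the prefix, lowercase the prefix's first
    character, uppercase each name part's first character and drop the hyphens after the prefix."""
    marker = f"-{prefix}-"
    pos = common_name.find(marker)
    if pos < 0:
        raise ValueError(f"prefix {prefix!r} not found in {common_name!r}")
    head = common_name[: pos + 1]              # e.g. "supercorp-net-2003-"
    rest = common_name[pos + len(marker):]     # e.g. "Asset-Tag"
    camel = "".join(part[:1].upper() + part[1:] for part in rest.split("-"))
    return head + prefix[:1].lower() + prefix[1:] + camel
```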
Example common names and LDAP display names
OID
• OID space must be obtained separately
  • Not part of registered DNS domain name
• Two primary ways to obtain an OID space:
  • Through Microsoft
  • International Standards Organization (ISO)
Object Classes
• Definition of each type of object
• Like a template from which objects are created
• Inheritance
• Class Types:
  • Structural classes
  • Abstract classes
  • Auxiliary classes
  • 88 classes
Object Classes (continued)
• Possible superiors
  • Controls which types of objects new object can be instantiated or moved under
  • Example: user object cannot be created (or moved) under a printer object
Activity 4-2: Creating a Structural Class
• Objective: Learn how to extend the Active Directory schema to include additional classes
• Use Active Directory Schema to create a new class
Attributes
• Schema contains list of all possible attributes
• Class is assigned both mandatory and optional attributes
• Object is sum of its attributes
• Syntaxes
  • Defines data type attribute can store
Common Syntaxes
Common Syntaxes (continued)
Indexes
• Similar in concept to index in back of book
• Store values (in order) for all objects that have a given attribute
• Speed up queries
• Slow down creation of objects and updating of attributes
• Choose attributes that have highly unique values
Activity 4-4: Adding an Optional Attribute to a Class
• Objective: Learn how to add additional attributes to a class
• Use the Schema console to add an attribute to a class
Active Directory Partitions
• Database divided into groups called partitions, or naming contexts
  • Used to manage replication
• Partitions:
  • Schema partition
  • Domain partition
  • Configuration partition
  • Application partition
Active Directory Partitions (continued)
• ADSI Edit:
  • Included with Windows Server 2003 Support Tools
  • Used to view and modify objects in various Active Directory partitions
Active Directory Partitions (continued)
Schema
• Stores schema
  • Contains definitions of all classes and attributes in entire forest
• Replicated to all domain controllers in forest
  • Content is the same throughout forest
Configuration
• Stores information about replication topology used in forest
  • Specifies how domain controller determines with which other specific partners it replicates
• Found on all domain controllers
  • Same throughout forest
Domain
• Contains users, computers, groups, and organizational units created in Windows domain
• Replicated to all domain controllers in domain
• Large amount of data
• Usually partition that changes most frequently
Application
• Cannot contain security principals
• Can be replicated to many different domains in forest
  • Without necessarily being included on all domain controllers
• Used when developer wants to store information in Active Directory
Summary
• Active Directory is made up of several layers:
  • Extensible Storage Engine (ESE)
  • Database layer
  • Directory Service Agent (DSA)
• By logging all transactions, ESE can reapply transactions in event of system failure and bring data back to a consistent state
Summary (continued)
• All objects and attributes available in Active Directory are defined in Active Directory schema
• To effectively manage replication of Active Directory, database is divided into groups called partitions